2.5 Ensure aufs storage driver is not used

Information

Do not use aufs as the storage driver for your Docker instance.

Rationale:
The aufs storage driver is the oldest storage driver. It is based on a Linux kernel patch-set that is unlikely to be merged into the mainline Linux kernel. The aufs driver is also known to cause serious kernel crashes, and Docker retains it only for legacy support. Most importantly, aufs is not a supported driver in many Linux distributions that use the latest Linux kernels.

Solution

Do not explicitly use aufs as the storage driver.
For example, do not start the Docker daemon as below:
dockerd --storage-driver aufs

Impact:
aufs is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries.

Default Value:
By default, Docker uses devicemapper as the storage driver on most platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is best supported by your preferred vendor.
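The following audit helper is an added example and is not part of the CIS benchmark or the Tenable plugin. It checks the three places where aufs can be selected (the running daemon's `docker info` output, the `--storage-driver`/`-s` flag on the dockerd command line, and the `storage-driver` key in daemon.json); the function names and the sample inputs are constructed for the example, and the default config path /etc/docker/daemon.json is an assumption.

```shell
#!/bin/sh
# Added example: audit a Docker host for the aufs storage driver.
# Each check returns 0 (pass) when aufs is not selected and 1 (fail) when it is.

# Extract the driver name from `docker info` text passed as $1.
storage_driver_from_info() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Storage Driver:[[:space:]]*//p' | head -n 1
}

# Check 1: the running daemon. $1 = output of `docker info`.
check_info() {
    driver=$(storage_driver_from_info "$1")
    [ "$driver" != "aufs" ]
}

# Check 2: the dockerd command line (as seen in `ps -o args`). $1 = command line.
# Flags "--storage-driver aufs", "--storage-driver=aufs" and "-s aufs" all fail.
check_cmdline() {
    ! printf '%s\n' "$1" | grep -Eq \
        '(^|[[:space:]])(--storage-driver([[:space:]]+|=)|-s[[:space:]]+)aufs([[:space:]]|$)'
}

# Check 3: the daemon config file. $1 = path to daemon.json (assumed default:
# /etc/docker/daemon.json). A missing file cannot select aufs, so it passes.
check_daemon_json() {
    [ -f "$1" ] || return 0
    ! grep -Eq '"storage-driver"[[:space:]]*:[[:space:]]*"aufs"' "$1"
}

# Run all three checks against the live host and report. Requires the docker
# CLI; the sample strings in the tests below are constructed, not captured.
audit_docker_host() {
    rc=0
    check_info "$(docker info 2>/dev/null)" || { echo "FAIL: daemon reports aufs"; rc=1; }
    check_cmdline "$(ps -o args= -C dockerd 2>/dev/null)" || { echo "FAIL: dockerd started with aufs"; rc=1; }
    check_daemon_json /etc/docker/daemon.json || { echo "FAIL: daemon.json selects aufs"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: aufs storage driver not in use"
    return "$rc"
}
```

Calling `audit_docker_host` on a host prints one line per failing evidence source, so a single remediation (removing the flag or config key and restarting the daemon) can be confirmed by re-running it.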

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|18

Plugin: Unix

Control ID: c9d3e2683e15e6afddaf4c9695d0644d63ed11e7e906bbf6bc2cc73a4858d2dc